samba - Sep 2022 - Group-based access instead of user-based?

On Fri, 2022-09-09 at 16:34 +0200, tom uijldert via samba
wrote:
> Hi,
> 
>  ?
> 
> Using the current V4.15.9-Ubuntu, a Windows client can access the
> top-level share, create a directory and browse there but not create a
> file in the subdir.
> 
> In the original setup (V4.13.7-Ubuntu), this was no problem and files
> and subdirs could be copied willy-nilly.
> 
> After rigorously hunting for differences in the setups I couldn?t
> find any.
> 
> So is there any changed default behaviour that I missed?
> 
> If not, suggestions on what to check?
> 
>  ?
> 
> Please find details below.
> 
>  ?
> 
> TIA,
> 
>     Tom.
> 
>  ?
> 
> Original setup: Ubuntu server 20.04 with smbd (etc) V4.13.7
> 
> New setup: Ubuntu server 22.04 with V4.15.9.
> 
>  ?
> 
> Joined to our domain as member server, all domain users are mapped to
> 1 unix account/group.
It would be better to recreate the group in AD (or use Domain Users
which all domain members are members of), delete the Unix group and
then use vfs_acl_xattr and set the permissions either from Windows od
with setfacl.

It would also help if you posted your smb.conf (that way we can confirm
how you are running Samba).
 
Rowland

Hi Rowland, 

Thanks for the tips, much appreciated. Please find my response below.

Thanks,
    Tom.

-----Original Message-----
From: Rowland Penny <rpenny at samba.org> 
Sent: 09 September 2022 17:39
>> 
>> Joined to our domain as member server, all domain users are mapped to
>> 1 unix account/group.
>
> It would be better to recreate the group in AD (or use Domain Users which
all domain members are members of), delete the Unix group and then use
vfs_acl_xattr and set > the permissions either from Windows od with setfacl.
The goal here is/was to have a directory that could be used fairly freely by all
domain members of that particular group.
This seemed to me the most simple and straightforward setup.
The unix security setting is simple and something I more or less "get"
where, frankly, the whole Windows ACL-stuff seems overly complicated. But
granted, that may be my limitation.
>
> It would also help if you posted your smb.conf (that way we can confirm how
you are running Samba).
Please find the smb.conf attached, it is the share [volwww] that we are testing.
For completeness sake I also included the mapping file (users.map).


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: users.map
URL:
<http://lists.samba.org/pipermail/samba/attachments/20220912/d8b92b1b/users.ksh>